Description:
STG Security reported a vulnerability in the InfronTech WebTide J2EE web application server. A remote user can view files and directories on the system.

It is reported that a remote user can view files and directories on the system by submitting a request appended with the '%3f.jsp' string.
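
To check whether such requests have reached a server, the following added example (not part of the original advisory or any vendor code) scans access-log lines for request paths ending in the encoded-question-mark suffix. It assumes the server's access log is in Common Log Format; the log lines, addresses, and function names are constructed for illustration.

```python
import re

# Assumption: access log is in Common Log Format:
# client ident user [time] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# URL-encoded '?' (%3f or %3F) followed by '.jsp' at the end of the raw path
SUFFIX_RE = re.compile(r'%3f\.jsp$', re.IGNORECASE)


def suspicious_requests(lines):
    """Return (client, target, status) for requests whose raw path
    ends in an encoded '?' followed by '.jsp'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Only the path is checked: a literal '?' starts a real query
        # string, where the same characters are ordinary parameter data.
        path = m.group("target").split("?", 1)[0]
        if SUFFIX_RE.search(path):
            hits.append((m.group("client"), m.group("target"),
                         int(m.group("status"))))
    return hits


def served(hits):
    """Keep only hits the server answered with a 2xx status."""
    return [h for h in hits if 200 <= h[2] < 300]


# Constructed sample log lines (documentation addresses, made-up paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2003:10:00:01 +0900] "GET /index.jsp HTTP/1.0" 200 1043',
    '192.0.2.44 - - [25/Oct/2003:10:00:07 +0900] "GET /%3f.jsp HTTP/1.0" 200 5120',
    '192.0.2.44 - - [25/Oct/2003:10:00:09 +0900] "GET /app/%3F.JSP HTTP/1.0" 200 2210',
    '192.0.2.10 - - [25/Oct/2003:10:00:12 +0900] "GET /search.jsp?q=%3f.jsp HTTP/1.0" 200 311',
    '192.0.2.71 - - [25/Oct/2003:10:00:15 +0900] "GET /docs/%3f.jsp HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, target, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

Hits answered with a 2xx status are the ones to review first, since those are requests the server actually served.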

Jeremy Bae at STG Security is credited with discovering the flaw.

The following notification timeline is provided:

2003-10-13 InfronTech notified.
2003-10-15 Second attempt to contact the vendor.
2003-10-15 Vendor replied that their new versions are not vulnerable.
2003-10-15 SSR Team tested and confirmed.
2003-10-23 Third attempt to contact the vendor.
2003-10-25 Public disclosure.